Building a Professional KVM Malware Analysis Lab on Linux

Why Build Your Own Lab? When you start getting serious about malware analysis, your options are usually a cloud sandbox like Any.run or Cuckoo, or a locally spun-up VM with Windows Defender disabled. Both work for basic analysis, but neither gives you the level of control and visibility a dedicated lab provides. A proper lab lets you: See exactly what a sample does at the network level, including decrypted HTTPS traffic Correlate behavioral events across process, registry, file system, and network simultaneously Protect your real IP from appearing in malware C2 infrastructure logs Restore to a clean state in seconds and run the next sample Feed everything into a open-source SIEM for long-term pattern analysis This post walks through building exactly that, from bare metal to a fully operational lab with VPN routing, transparent TLS interception, and Wazuh monitoring across all VMs. ...

July 10, 2026 · Meistsec

How I Hunted the Atomic Arch AUR Stealer on My Own Box

TL;DR On 11 June 2026, attackers hijacked more than 400 Arch User Repository (AUR) packages and rewrote their build scripts to pull a malicious npm package that executed a Rust credential stealer — analyst-named deps — during the build. Sonatype calls the campaign Atomic Arch. Independent researcher Whanos reverse-engineered the payload, and that analysis is the source for most of the indicators here. I run Arch with a Wazuh agent, so I built a hunt around the IOCs and ran it against my own machine. The host came back clean. The interesting part isn’t the verdict — it’s that two checks looked like findings and weren’t: a PID-listing diff that screamed “hidden process,” and a loopback listener on a random high port that had exactly the shape of the malware’s local proxy. Both were artifacts of how the checks work, not evidence. This post is the hunt, why each check is trustworthy or not, the two head-fakes, and how to wire durable detections into Wazuh so the next variant trips an alert on its own. ...

June 15, 2026 · Meistsec

How I Chased a BPFDoor Backdoor in My Robot Vacuum (And Found a Microsecond Timer)

5/18/2026 TL;DR UniFi IDS signature 2069175 (ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND]) fired on a Roborock Q10 robot vacuum on my IoT VLAN. After a week of “investigation” — packet captures, custom Scapy trigger scripts, isolated test VLANs, the works — the root cause turned out to be a Suricata false positive with an identifiable mathematical cause: the vacuum sends an ICMP heartbeat every 20 seconds whose payload includes a 32-bit microsecond timestamp counter, and that counter rolls through values containing 0x58 0x3a (“X:”) at the rule’s match offset approximately once every few thousand packets. ...

May 18, 2026 · Meistsec

Firewall Configurations

After years on Ubuntu, I switched my daily-driver workstation to Fedora (originally Fedora 36, around the time this post first went up). The piece I want to focus on here is firewall management — specifically, moving off of UFW and learning to drive firewalld properly on a host that runs a lot of virtual machines for security research. firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4, IPv6, Ethernet bridges, and ipsets, and it cleanly separates runtime and permanent configuration. — firewalld.org ...

April 19, 2022 · Meistsec